[php-maint] Bug#336645: marked as done (PHP 4.4.1 fixes security bugs)

Debian Bug Tracking System owner at bugs.debian.org
Wed Jan 18 13:03:34 UTC 2006

Your message dated Wed, 18 Jan 2006 04:47:13 -0800
with message-id <E1EzCiX-0001Tz-Ev at spohr.debian.org>
and subject line Bug#336645: fixed in php4 4:4.4.2-1
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

Received: (at submit) by bugs.debian.org; 31 Oct 2005 18:15:02 +0000
From fw at deneb.enyo.de Mon Oct 31 10:15:02 2005
Return-path: <fw at deneb.enyo.de>
Received: from mail.enyo.de [] 
	by spohr.debian.org with esmtp (Exim 3.36 1 (Debian))
	id 1EWeBS-0008Rk-00; Mon, 31 Oct 2005 10:15:02 -0800
Received: from deneb.vpn.enyo.de ([] helo=deneb.enyo.de)
	by albireo.enyo.de with esmtp id 1EWeBR-0004A5-PI
	for submit at bugs.debian.org; Mon, 31 Oct 2005 19:15:01 +0100
Received: from fw by deneb.enyo.de with local (Exim 4.54)
	id 1EWeBL-00010z-6J
	for submit at bugs.debian.org; Mon, 31 Oct 2005 19:14:55 +0100
From: Florian Weimer <fw at deneb.enyo.de>
To: submit at bugs.debian.org
Subject: PHP 4.4.1 fixes security bugs
Date: Mon, 31 Oct 2005 19:14:55 +0100
Message-ID: <87d5llpn8g.fsf at mid.deneb.enyo.de>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Delivered-To: submit at bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-8.0 required=4.0 tests=BAYES_00,HAS_PACKAGE 
	autolearn=no version=2.60-bugs.debian.org_2005_01_02

Package: php4
Tags: security
Severity: grave

The Hardened-PHP project has disclosed several security


The "globals problem" appears to be somewhat nasty.  It is not clear
if it applies to stable's 4.3.10 version because the security feature
which turned out to be buggy was introduced in 4.3.11, according to
the fourth link above.  (Maybe PHP before 4.3.11 is vulnerable to some
other issue; I don't know.)

As usual, the 4.4.1 release might fix additional security bugs for
which no explicit advisories are released.

Received: (at 336645-close) by bugs.debian.org; 18 Jan 2006 12:52:03 +0000
From katie at ftp-master.debian.org Wed Jan 18 04:52:03 2006
Return-path: <katie at ftp-master.debian.org>
Received: from katie by spohr.debian.org with local (Exim 4.50)
	id 1EzCiX-0001Tz-Ev; Wed, 18 Jan 2006 04:47:13 -0800
From: Adam Conrad <adconrad at 0c3.net>
To: 336645-close at bugs.debian.org
X-Katie: $Revision: 1.65 $
Subject: Bug#336645: fixed in php4 4:4.4.2-1
Message-Id: <E1EzCiX-0001Tz-Ev at spohr.debian.org>
Sender: Archive Administrator <katie at ftp-master.debian.org>
Date: Wed, 18 Jan 2006 04:47:13 -0800
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER 
	autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-CrossAssassin-Score: 4

Source: php4
Source-Version: 4:4.4.2-1

We believe that the bug you reported is fixed in the latest version of
php4, which is due to be installed in the Debian FTP archive:

  to pool/main/p/php4/libapache-mod-php4_4.4.2-1_i386.deb
  to pool/main/p/php4/libapache2-mod-php4_4.4.2-1_i386.deb
  to pool/main/p/php4/php4-cgi_4.4.2-1_i386.deb
  to pool/main/p/php4/php4-cli_4.4.2-1_i386.deb
  to pool/main/p/php4/php4-common_4.4.2-1_i386.deb
  to pool/main/p/php4/php4-curl_4.4.2-1_i386.deb
  to pool/main/p/php4/php4-dev_4.4.2-1_i386.deb
  to pool/main/p/php4/php4-domxml_4.4.2-1_i386.deb
  to pool/main/p/php4/php4-gd_4.4.2-1_i386.deb
  to pool/main/p/php4/php4-ldap_4.4.2-1_i386.deb
  to pool/main/p/php4/php4-mcal_4.4.2-1_i386.deb
  to pool/main/p/php4/php4-mhash_4.4.2-1_i386.deb
  to pool/main/p/php4/php4-mysql_4.4.2-1_i386.deb
  to pool/main/p/php4/php4-odbc_4.4.2-1_i386.deb
  to pool/main/p/php4/php4-pear_4.4.2-1_all.deb
  to pool/main/p/php4/php4-pgsql_4.4.2-1_i386.deb
  to pool/main/p/php4/php4-recode_4.4.2-1_i386.deb
  to pool/main/p/php4/php4-snmp_4.4.2-1_i386.deb
  to pool/main/p/php4/php4-sybase_4.4.2-1_i386.deb
  to pool/main/p/php4/php4-xslt_4.4.2-1_i386.deb
  to pool/main/p/php4/php4_4.4.2-1.diff.gz
  to pool/main/p/php4/php4_4.4.2-1.dsc
  to pool/main/p/php4/php4_4.4.2-1_all.deb
  to pool/main/p/php4/php4_4.4.2.orig.tar.gz

A summary of the changes between this version and the previous one is

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 336645 at bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
Adam Conrad <adconrad at 0c3.net> (supplier of updated php4 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster at debian.org)

Format: 1.7
Date: Wed, 18 Jan 2006 18:41:11 +1100
Source: php4
Binary: php4-sybase php4-recode php4-cgi libapache-mod-php4 php4-cli php4-dev php4-snmp libapache2-mod-php4 php4-odbc php4-xslt php4-mysql php4-domxml php4-gd php4-ldap php4-common php4 php4-curl php4-pear php4-mcal php4-mhash php4-pgsql
Architecture: source i386 all
Version: 4:4.4.2-1
Distribution: unstable
Urgency: low
Maintainer: Debian PHP Maintainers <pkg-php-maint at lists.alioth.debian.org>
Changed-By: Adam Conrad <adconrad at 0c3.net>
 libapache-mod-php4 - server-side, HTML-embedded scripting language (apache 1.3 module)
 libapache2-mod-php4 - server-side, HTML-embedded scripting language (apache 2.0 module)
 php4       - server-side, HTML-embedded scripting language (meta-package)
 php4-cgi   - server-side, HTML-embedded scripting language (CGI binary)
 php4-cli   - command-line interpreter for the php4 scripting language
 php4-common - Common files for packages built from the php4 source
 php4-curl  - CURL module for php4
 php4-dev   - Files for PHP4 module development
 php4-domxml - XMLv2 module for php4
 php4-gd    - GD module for php4
 php4-ldap  - LDAP module for php4
 php4-mcal  - MCAL calendar module for php4
 php4-mhash - MHASH module for php4
 php4-mysql - MySQL module for php4
 php4-odbc  - ODBC module for php4
 php4-pear  - PHP Extension and Application Repository (transitional package)
 php4-pgsql - PostgreSQL module for php4
 php4-recode - Character recoding module for php4
 php4-snmp  - SNMP module for php4
 php4-sybase - Sybase / MS SQL Server module for php4
 php4-xslt  - XSLT module for php4
Closes: 336004 336645 339577 341726 343399 343791
 php4 (4:4.4.2-1) unstable; urgency=low
   * New upstream bugfix release, skipping the problematic 4.4.1 release:
     - Remove some PEAR cruft from 006-debian_quirks.patch, since we don't
       build PEAR from php4 anymore, and it conflicted with upstream diffs.
     - Remove 054-open_basedir_slash.patch, now integrated upstream.
     - Remove 055-gd_safe_mode_checks.patch, fixed differently upstream.
   * Many security vulns fixed (closes: #336645, #339577, #336004, #341726):
     - Fixes multiple cross-site-scripting vulnerabilities; CVE-2006-0208
     - Resolves multiple HTTP response splitting vulnerabilities, allowing
       arbitrary header injection via Set-Cookie headers; see CVE-2006-0207
     - Resolves a local denial of service in the apache2 SAPI, which can
       be triggered by using session.save_path in .htaccess; CVE-2005-3319
     - Resolves an infinite loop in the exif_read_data function which can
       be triggered with a specially-crafted JPEG image; CVE-2005-3353
     - Resolves an XSS vulnerability in the phpinfo function; CVE-2005-3388
     - Resolves a vulnerability in the parse_str function whereby a remote
       attacker can fool PHP into turning on register_globals, thus making
       applications vulnerable to global variable injections; CVE-2005-3389
     - Resolves a vulnerability in the RFC1867 file upload feature where, if
       register_globals is enabled, a remote attacker can modify the GLOBALS
       array with a multipart/form-data POST request; see CVE-2005-3390
     - Resolves numerous safe_mode and open_basedir bypasses; CVE-2005-3391
     - Resolves INI settings leaks in the apache2 SAPI, leading to safe_mode
       and open_basedir bypasses between virtual hosts; CVE-2005-3392
     - Resolves a CRLF injection vulnerability in the mb_send_mail function,
       allowing injection of arbitrary mail headers; see CVE-2005-3883
   * Bump libdb build-dep from 4.2 to 4.3, matching apache (closes: #343399)
   * Bump our MySQL build-dep to 5.0's libmysqlclient15-dev (closes: #343791)
   * Automate the process of getting the list of built-in modules into the
     package descriptions, so it stays fresh in the future (see: #341867)
   * Create 056-mime_magic_strings.patch, making the mime_magic extension
     more liberal about what mime-types it accepts, as well as making it skip
     over ones it dislikes, rather than disabling itself (see: #335674)
   * Add 057-no_apache_installed.patch, to stop spewing a mess of errors in
     configure because we don't have the apache binaries in the build chroot.
   * Fix small typo in the php4-xslt package description (see: #344816)
 c30822bc794b738318164dce3cbd2813 1791 web optional php4_4.4.2-1.dsc
 a7ae7ed8f2edf1592bd94eab91c634fa 5461440 web optional php4_4.4.2.orig.tar.gz
 34f22a7d636ee5633e9d4bf1f359f700 98122 web optional php4_4.4.2-1.diff.gz
 f998715b32c378f3bf807f615a4af7b4 173814 web optional php4-common_4.4.2-1_i386.deb
 0cd21985bca4226e533c9a4731994397 1601042 web optional libapache-mod-php4_4.4.2-1_i386.deb
 8b5a78625cdc4d4bb2a303904a54ca46 1598430 web optional libapache2-mod-php4_4.4.2-1_i386.deb
 602fd72bae58292412d62c1acf0f57e4 3182264 web optional php4-cgi_4.4.2-1_i386.deb
 6c622e3396abfa063d157a4337c35d6d 1598306 web optional php4-cli_4.4.2-1_i386.deb
 1e57f095a587a7f74ec14bba5b6a6778 201146 devel optional php4-dev_4.4.2-1_i386.deb
 6d4f480b9e3e37068bc721b0e467da5e 19074 web optional php4-curl_4.4.2-1_i386.deb
 dd9fc2d0ead5371d973f5f7705351953 38808 web optional php4-domxml_4.4.2-1_i386.deb
 ffc438a188862049f180de60edc5e0c3 33182 web optional php4-gd_4.4.2-1_i386.deb
 06d007059020c6de7d0d2d90a15f4256 20714 web optional php4-ldap_4.4.2-1_i386.deb
 7e6496393a8325dd7aefcd7aa8c34eed 17656 web optional php4-mcal_4.4.2-1_i386.deb
 2d70d0fee6300a5d53bc11dda3fc8c49 8800 web optional php4-mhash_4.4.2-1_i386.deb
 1094ad0bdb7d8eae5ba36929db6747af 22084 web optional php4-mysql_4.4.2-1_i386.deb
 68a5c49262af6f869f6ea25206376db8 28126 web optional php4-odbc_4.4.2-1_i386.deb
 3ac3eaa6f73a1925d9d6bba0d0df09e0 37050 web optional php4-pgsql_4.4.2-1_i386.deb
 18f3ff80db3a44ae73ad9ceb45bc117d 8496 web optional php4-recode_4.4.2-1_i386.deb
 f200925fa384c1269f0aec042c5b4577 14104 web optional php4-snmp_4.4.2-1_i386.deb
 15c2e244fbd5c5b60a9bff4b2d11dc72 21530 web optional php4-sybase_4.4.2-1_i386.deb
 55f8951b13a84e15bd6a1806f232d43c 17006 web optional php4-xslt_4.4.2-1_i386.deb
 51b8a4bd2bb5892cb072ca3740529212 1154 web optional php4_4.4.2-1_all.deb
 69d6a539bce90b2f35d9740fbb7827aa 1168 web optional php4-pear_4.4.2-1_all.deb
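The close message above names 4:4.4.2-1 as the version that carries these fixes, so the practical question on any host is whether the installed php4 version orders at or above it. What follows is an added example, not code from Debian or the php4 package: it reimplements dpkg's version ordering (epoch, then upstream part, then Debian revision, with "~" sorting below everything including end-of-string) so the check runs without dpkg, and it refuses a bare upstream string because Debian's php4 carries epoch 4 and "4.4.2-1" without the epoch would always compare as older. The sample versions other than 4:4.4.2-1, 4.4.1 and 4.3.10 are constructed for illustration and are not taken from this page.

```python
"""Added example: is an installed Debian php4 version at or above the fix
version 4:4.4.2-1 named in the close message?  The ordering below follows
dpkg's rules; it is not the project's own code."""

FIXED_VERSION = "4:4.4.2-1"   # version that closed Bug#336645 (from the page)


def _order(c):
    """Weight of one non-digit character as dpkg ranks them:
    '~' < end-of-string < letters < any other character."""
    if c == "~":
        return -1
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _verrevcmp(a, b):
    """Compare two version fragments (the upstream part or the Debian revision)
    by alternating non-digit runs (via _order) and digit runs (numerically)."""
    i = j = 0
    la, lb = len(a), len(b)
    while i < la or j < lb:
        first_diff = 0
        # Non-digit run: character by character; end-of-string weighs 0.
        while (i < la and not a[i].isdigit()) or (j < lb and not b[j].isdigit()):
            ac = _order(a[i]) if i < la else 0
            bc = _order(b[j]) if j < lb else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: strip leading zeros; a longer run wins, otherwise the
        # first differing digit decides.
        while i < la and a[i] == "0":
            i += 1
        while j < lb and b[j] == "0":
            j += 1
        while i < la and j < lb and a[i].isdigit() and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < la and a[i].isdigit():
            return 1
        if j < lb and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(v):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision).
    A missing epoch is 0; a missing revision is '' (which _verrevcmp orders
    equal to '0', as Debian policy specifies)."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    if "-" in v:
        upstream, revision = v.rsplit("-", 1)
    else:
        upstream, revision = v, ""
    return epoch, upstream, revision


def dpkg_compare(a, b):
    """Return -1, 0 or 1, ordering a against b as dpkg --compare-versions does."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return 1 if ea > eb else -1
    for x, y in ((ua, ub), (ra, rb)):
        c = _verrevcmp(x, y)
        if c:
            return 1 if c > 0 else -1
    return 0


def is_fixed(installed, fixed=FIXED_VERSION):
    """True if `installed` orders at or above the fix version.
    Guard (design choice of this example): when the fix version carries an
    epoch, the installed string must too, otherwise a bare upstream version
    such as '4.4.2-1' parses as epoch 0 and silently looks unfixed."""
    if ":" in fixed and ":" not in installed:
        raise ValueError("compare full Debian versions including the epoch, e.g. '4:4.4.2-1'")
    return dpkg_compare(installed, fixed) >= 0


if __name__ == "__main__":
    # All strings except 4:4.4.2-1 are constructed for illustration.
    for v in ("4:4.3.10-1", "4:4.4.1-1", "4:4.4.2~rc1-1", "4:4.4.2-1", "4:4.4.2-2"):
        print(f"{v:16} fixed={is_fixed(v)}")
```

On a real Debian host the same answer comes from `dpkg --compare-versions "$(dpkg-query -W -f='${Version}' php4-common)" ge 4:4.4.2-1`; the point of carrying the algorithm here is that vulnerability matching done off-host (inventory databases, scanners) must use the same ordering, and in particular must keep the epoch, or every php4 install will be flagged wrong in one direction or the other.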
